[Owasp-leaders] OWASP Board decision that I don't agree with

Wong Onn Chee ocwong at usa.net
Mon Jan 6 03:00:09 UTC 2014

Hi Tobias,

My vote as follow:

1. "Should OWASP give a developer training at the RSA conference?"

Choice: Yes

2. Should OWASP make a public statement to the effect that
subverting/weakening crypto is a bad idea.

Choice: Yes

Disclosure: I am the OWASP Singapore chapter lead and Singapore is
complicit with NSA as part of their global surveillance network,
something I am not so proud of.

After reading the valid comments by fellow leaders, let me share my
$0.02 on this topic.

The disclosed abuses by NSA perhaps arise from the kneejerk reactions to
the unfortunate 9/11 incidents.
Overly broad powers were given to certain bodies without proper
oversight or governance, all in the name of national security.
Now, with 20/20 hindsight, the downside of all these kneejerk reactions
are unravelling in front of our eyes.

Similarly, if we start OWASP down this slippery slope of empowering
OWASP to blacklist support for a particular entity (similar to the 9/11
kneejerk reactions), will such powers be open to abuse?
Why stop at RSA? How about Google, Microsoft and Yahoo? How about
Siemens (stuxnet)? How about Huawei?
How about countries deemed to be the top sources of webapp attacks?
Should we ban chapters in those countries and withdraw any official
engagement with these countries?
Where do we stop?

One can say that we can adopt an open "democratic" process to avoid abuses.
But all of us have seen abuses through lobbying by special interest
groups at international level, such as ISO (Remember the OOXML fast
track episode?), UN (Security Council where excessive powers are placed
in a minority group) etc.

My view is that OWASP should not start something that may lead to
possible future abuses.
Blacklisting support for entities subjectively goes against the OPEN
principle (the first word of OWASP) upon which OWASP was founded on.

Nevertheless, I am for making official statements/stands that OWASP is
against anything that weakens software security.
But instead of slamming the doors on the "guilty" parties, why not
embrace them and encourage them to be more open and be more secure?
This brings us closer to the founding principles of OWASP.

Thank you for spending time to read my ranting above.
Cheers and have a safe 2014! :-)

Best Regards
Onn Chee

"I say all security vulnerabilities are software-based. Prove me wrong if you dare"

On 06/01/2014 07:38, Tobias wrote:
> Hi Gustavo,
> following the conversation here, I have seen so far the following
> proposals from community members: 
> a) offer the training at the RSA conference unchanged under the brand
> of OWASP
> b) offer the training at the RSA conference unchanged under the brand
> of OWASP and OWASP makes a public statement that OWASP thinks
> weakening crypto is a bad idea. (personal note: btw. RSA should have
> no problem with that as they officially deny any such activities...)
> c) give the training as individuals and not as OWASP (not sure whether
> that would at all be possible at this point)
> d) try to move to a different venue (not sure whether that would be
> possible or financially viable)
> e) cancel the training.
> Any more proposals? Anything I missed?
> As best would be to have as few options as possible and only realistic
> ones, we should check with Sarah whether c and d are realistic at all,
> as we could then reduce the choice to between a/b and e.
> Or in the form of two choices:
> 1. "Should OWASP give a developer training at the RSA conference?"  -
> Choice: Yes/No
> 2. Should OWASP make a public statement to the effect that
> subverting/weakening crypto is a bad idea. - Choice: Yes/No
> Thanks and all the best, Tobias
> Tobias Gondrom
> OWASP Global Board Member
> On 05/01/14 22:50, L. Gustavo C. Barbato wrote:
>> Dinis,
>>   That's what I am talking about. Perhaps, my english is not good
>> enough to be understood.
>>    The question would be simple with only two possible answers, Yes
>> or No: "Should OWASP participate on RSA's conference?"
>> Thanks,
>> Gustavo.
>> On 05/01/2014, at 20:43, Dinis Cruz <dinis.cruz at owasp.org
>> <mailto:dinis.cruz at owasp.org>> wrote:
>>> I think a vote would be good , but the key is making sure the
>>> question(s) are neutral and balanced (ie the outcome of the vote is
>>> very dependent on how the question(s) are asked)
>>> And as I said many times before, the Center of gravity for OWASP
>>> should be with its leaders (and community) and not with the board,
>>> so a vote is a good way to make sure the leader's voice is heard (on
>>> related topic I also think that votes should be 'on the record' and
>>> public). Note : if we are going to have a thread about voting, its
>>> better to change the email thread subject
>>> On 5 Jan 2014 22:36, "L. Gustavo C. Barbato" <lgbarbato at owasp.org
>>> <mailto:lgbarbato at owasp.org>> wrote:
>>>     Have you ever heard about plesbicite?
>>>     This discussion is one example: we have given power to board
>>>     members to take decision on behalf of our community. So if they
>>>     want to present, in your belief, they can go ahead without this
>>>     useless thread discussion.
>>>     However, I dont believe this is useless , but a very strategic
>>>     decision with several point of views already presented here.
>>>     That's why I am advocating that we vote as a plebiscite process
>>>     where board members have the same Power as everybody else here.
>>>     Gustavo.
>>>     On 05/01/2014, at 15:59, Konstantinos Papapanagiotou
>>>     <konstantinos at owasp.org <mailto:konstantinos at owasp.org>> wrote:
>>>>     This kind of democracy might have worked in ancient Athens
>>>>     (with pros and cons) but nowadays we have a BoD and a CEO for
>>>>     such kind of decisions.
>>>>     Kostas
>>>>     On Sunday, January 5, 2014, L. Gustavo C. Barbato wrote:
>>>>         Keeping discussing philosophy and high ideals, we will
>>>>         never reach a consensus in the time frame we need, so let's
>>>>         let democracy wins the debay.
>>>>         On 05/01/2014, at 11:38, Josh Sokol <josh.sokol at owasp.org>
>>>>         wrote:
>>>>>         A key differentiator when we did this free training at
>>>>>         AppSecUSA in Austin and LASCON 2013 is that it was 100%
>>>>>         free and open to all.  No conference pass was required to
>>>>>         participate.  Since that is not the case here, and since
>>>>>         the training is only open to RSA attendees, then I think
>>>>>         this demonstrates a much closer tie between OWASP and RSA
>>>>>         than I would like to see.  I like the idea of approaching
>>>>>         BSides SF and seeing if maybe they would be interested in
>>>>>         hosting this training for free for the community at
>>>>>         large.  If we can do that, then I think its the true win
>>>>>         here as we get the visibility to satisfy our mission and
>>>>>         we remove the negative stigma of being associated with RSA.
>>>>>         I would diaagree, however, that visibility is only a means
>>>>>         to an end.  Since its in our mission statement, all of our
>>>>>         activities and prioritizations are required, by law, to
>>>>>         follow that.  And if we ever reach the point where
>>>>>         everyone, everywhere, knows about application security,
>>>>>         then we can close up shop and move on.  There is no
>>>>>         compromising the end goal here because, per the mission
>>>>>         statement, visibility is the end goal.  I'm sorry if that
>>>>>         compromises your principals Sastry but its the truth about
>>>>>         OWASP as a non-profit.
>>>>>         ~josh
>>>>>         On Jan 5, 2014 12:32 AM, "Sastry Tumuluri"
>>>>>         <sastry.tumuluri at owasp.org> wrote:
>>>>>             1. The immediate focus on RSAC:
>>>>>             No matter how we rationalize, the fact is that we
>>>>>             (OWASP) have
>>>>>             options. This, at worst, is one missed opportunity. So
>>>>>             let us not, in
>>>>>             our relentless pursuit of VISIBILITY, compromise on
>>>>>             principles.
>>>>>             VISIBILITY is a means to an end (better security, more
>>>>>             secure software
>>>>>             -- which in itself is likely a never-ending activity).
>>>>>             Let us not
>>>>>             compromise on the end-goal while chasing the means.
>>>>>             Short term gains (of reaching some developers) will
>>>>>             easily be lost if
>>>>>             we take the low road. Even 300 more "aware" developers
>>>>>             are for naught
>>>>>             if, based on RSAC acceptance, just one more company
>>>>>             feels that the
>>>>>             risks of trucking with NSA/GCHQ and compromising
>>>>>             underlying
>>>>>             foundations are acceptable.
>>>>>             Is it our job/charter to "convey such a message"? I
>>>>>             believe so.
>>>>>             Conversely, can we say "we merely advocate tech
>>>>>             principles and
>>>>>             educate... this is not for us"? If we want to be
>>>>>             treated as a
>>>>>             responsible member of the ecosystem, we can't duck
>>>>>             like that.
>>>>>             Related, but a slightly different perspective: Robert
>>>>>             Graham's blog
>>>>>             post on this:
>>>>>             http://blog.erratasec.com/2014/01/why-we-have-to-boycott-rsa.html
>>>>>             2. The tough world of principles, ethics, etc:
>>>>>             Jim Manico raised a very pertinent point regarding
>>>>>             sending mixed
>>>>>             messages (=> recognition-of and
>>>>>             consistency-in-applying our
>>>>>             principles). It isn't easy.
>>>>>             Funding goes to the very heart of neutrality and
>>>>>             ethics. So it is not
>>>>>             so tangential, after all. I know we shouldn't accept
>>>>>             funds or even
>>>>>             projects from NSA, GCHQ, etc. Whether DHS is to be
>>>>>             painted by the same
>>>>>             brush, I don't know (depends on internal structure,
>>>>>             etc.). Let the
>>>>>             more knowledgeable people decide on this.
>>>>>             Chasing "quick results at any cost" and then splitting
>>>>>             hairs on
>>>>>             legality and rationalizations will not paint us black;
>>>>>             but will surely
>>>>>             park us firmly in the gray areas of ethics. Is that
>>>>>             what we want?
>>>>>             Cheers,
>>>>>             ==Sas3==
>>>>>             On Sun, Jan 5, 2014 at 8:33 AM, Josh Sokol
>>>>>             <josh.sokol at owasp.org> wrote:
>>>>>             > My apologies in the delay in responding to this.
>>>>>              I've been on the road all
>>>>>             > day today and will be slow to respond tomorrow as well.
>>>>>             >
>>>>>             > First off, let me admit that while my term hadn't
>>>>>             officially begun yet, I am
>>>>>             > one of the Board members who encouraged Jim and Eoin
>>>>>             to move forward with
>>>>>             > the training.  My rationale for this was simple;
>>>>>             OWASP's mission is to make
>>>>>             > software security visible, so that individuals and
>>>>>             organizations worldwide
>>>>>             > can make informed decisions about true software
>>>>>             security risks.  The core of
>>>>>             > this statement being VISBILITY.  We need to find and
>>>>>             take advantage of as
>>>>>             > many ways as possible to raise the visibility of
>>>>>             security risks.  Our
>>>>>             > mission says nothing about making political
>>>>>             statements.  It says nothing
>>>>>             > about ethical business practices.  Our mission can
>>>>>             certainly 
>>>     _______________________________________________
>>>     OWASP-Leaders mailing list
>>>     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>>>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20140106/29937998/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3738 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20140106/29937998/attachment-0001.bin>

More information about the OWASP-Leaders mailing list